internal/vulns: disable display of vulns for stdlib pages at master

The resolved version for stdlib pages at master is a
v0-prefixed psuedoversion. The result is that all vulns
for stdlib pages that begin at v0 are listed as affecting
even though they may have been fixed in later versions of Go.

This change removes vuln data for stdlib pages when requested
version is master.

Fixes golang/go#57327.

Change-Id: Ie9df8cb25bc3126397a49af349d401d3a1e2e994
Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/460817
Run-TryBot: Jamal Carvalho <[email protected]>
Reviewed-by: Jonathan Amsterdam <[email protected]>
TryBot-Result: kokoro <[email protected]>

Author: jamalc

internal/vulns/vulns.go

@@ -14,6 +14,7 @@ import (
 	"golang.org/x/mod/semver"
 	"golang.org/x/pkgsite/internal/derrors"
 	"golang.org/x/pkgsite/internal/stdlib"
+	"golang.org/x/pkgsite/internal/version"
 	"golang.org/x/vuln/osv"
 )
 
@@ -48,12 +49,19 @@ func VulnsForPackage(ctx context.Context, modulePath, version, packagePath strin
 	return vs
 }
 
-func vulnsForPackage(ctx context.Context, modulePath, version, packagePath string, getVulnEntries VulnEntriesFunc) (_ []Vuln, err error) {
-	defer derrors.Wrap(&err, "vulns(%q, %q, %q)", modulePath, version, packagePath)
+func vulnsForPackage(ctx context.Context, modulePath, vers, packagePath string, getVulnEntries VulnEntriesFunc) (_ []Vuln, err error) {
+	defer derrors.Wrap(&err, "vulns(%q, %q, %q)", modulePath, vers, packagePath)
 
 	if getVulnEntries == nil {
 		return nil, nil
 	}
+	// Stdlib pages requested at master will map to a pseudo version that puts
+	// all vulns in range. We can't really tell you're at master so version.IsPseudo
+	// is the best we can do. The result is vulns won't be reported for a pseudoversion
+	// that refers to a commit that is in a vulnerable range.
+	if modulePath == stdlib.ModulePath && version.IsPseudo(vers) {
+		return nil, nil
+	}
 	if modulePath == stdlib.ModulePath && strings.HasPrefix(packagePath, "cmd/go") {
 		modulePath = vulnCmdGoModulePath
 	} else if modulePath == stdlib.ModulePath {
@@ -68,7 +76,7 @@ func vulnsForPackage(ctx context.Context, modulePath, version, packagePath strin
 	// package at this version.
 	var vulns []Vuln
 	for _, e := range entries {
-		if vuln, ok := entryVuln(e, modulePath, packagePath, version); ok {
+		if vuln, ok := entryVuln(e, modulePath, packagePath, vers); ok {
 			vulns = append(vulns, vuln)
 		}
 	}
@@ -107,10 +115,10 @@ func (e OSVEntry) AffectedModulesAndPackages() []string {
 	return affected
 }
 
-func entryVuln(e *osv.Entry, modulePath, packagePath, version string) (Vuln, bool) {
+func entryVuln(e *osv.Entry, modulePath, packagePath, ver string) (Vuln, bool) {
 	for _, a := range e.Affected {
 		// a.Package.Name is Go "module" name. Go package path is a.EcosystemSpecific.Imports.Path.
-		if a.Package.Name != modulePath || !a.Ranges.AffectsSemver(version) {
+		if a.Package.Name != modulePath || !a.Ranges.AffectsSemver(ver) {
 			continue
 		}
 		if packageMatches := func() bool {

internal/vulns/vulns_test.go

@@ -44,13 +44,30 @@ func TestVulnsForPackage(t *testing.T) {
 			},
 		}},
 	}
+	stdlib := osv.Entry{
+		ID: "GO-2",
+		Affected: []osv.Affected{{
+			Package: osv.Package{Name: "stdlib"},
+			Ranges: []osv.AffectsRange{{
+				Type:   osv.TypeSemver,
+				Events: []osv.RangeEvent{{Introduced: "0"}, {Fixed: "1.19.4"}},
+			}},
+			EcosystemSpecific: osv.EcosystemSpecific{
+				Imports: []osv.EcosystemSpecificImport{{
+					Path: "net/http",
+				}},
+			},
+		}},
+	}
 
 	get := func(_ context.Context, modulePath string) ([]*osv.Entry, error) {
 		switch modulePath {
 		case "good.com":
 			return nil, nil
 		case "bad.com", "unfixable.com":
 			return []*osv.Entry{&e}, nil
+		case "stdlib":
+			return []*osv.Entry{&stdlib}, nil
 		default:
 			return nil, fmt.Errorf("unknown module %q", modulePath)
 		}
@@ -89,6 +106,16 @@ func TestVulnsForPackage(t *testing.T) {
 		{
 			"unfixable.com", "", "v1.999.999", []Vuln{{ID: "GO-1"}},
 		},
+		// Vulns for stdlib
+		{
+			"std", "net/http", "go1.19.3", []Vuln{{ID: "GO-2"}},
+		},
+		{
+			"std", "net/http", "v0.0.0-20230104211531-bae7d772e800", nil,
+		},
+		{
+			"std", "net/http", "go1.20", nil,
+		},
 	}
 	for _, tc := range testCases {
 		got := VulnsForPackage(ctx, tc.mod, tc.version, tc.pkg, get)